Archive for the ‘internet’ Category

Recently I’ve run into a couple of problems, related to things like online voting and payment escrow, where I wanted to be able to provide a hosted service for something that would be transparent and verifiable. To minimize the amount of trust the users would have to put in me, I wanted to not only make the code that I was running publicly available, but also give people the ability to check that my hosted service was actually running the code that I said it was, and that I hadn’t deployed something different, or done something to my server that would make it behave differently.

This kind of transparency didn’t seem like a particularly exotic thing to want, so I googled around for people running a platform that would let me do that kind of thing. But I couldn’t find anything, so I thought I’d write it up and see if anyone has done this, or has thoughts on how it should be done.

Why do I want to make hosted stuff transparent? Here’s an example.

Adam and Bob make a bet, and Chris agrees to referee if one of them tries to cheat. To do this, they agree that two people out of three will need to agree to access the money. If Adam and Bob settle the bet as planned, Chris doesn’t need to do anything. If Adam or Bob loses the bet and disappears, Chris will make sure the money goes to the winner. And if Chris wants to run off with Adam and Bob’s money, he’ll have to persuade one or the other to conspire with him.

To help with transactions like these, someone – let’s call them Dave – runs a website that lets them do the following:

Adam goes to Dave’s website and types in his own, Bob’s and Chris’s e-mail addresses.

Dave’s server creates a private Bitcoin key and a public Bitcoin address. The private key can be used to access money sent to the public address.

Dave’s server splits the private key into three parts, and sends each of Adam, Bob and Chris a different two of the three parts, along with the public Bitcoin address.

Dave’s server deletes the key, so it won’t be able to access the money that Adam and Bob are about to pay in.

Adam and Bob pay their stakes to the public address.

When the bet is settled, the loser sends their part of the private key to the winner, who can now access the money.

If the loser fails to send the winner their part of the private key, the referee will send theirs to the winner instead.
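Here is an added worked example of the key-splitting step (my code, not from the post): one way Dave’s server could produce “three parts” so that any two of Adam, Bob and Chris can recover the key while no single holder learns anything about it. It assumes the key is a plain byte string and that the three parts are XOR shares rather than literal thirds of the key bytes; literal chunking would hand each person two thirds of the key bits, which shrinks the search space for a dishonest holder, whereas XOR shares are useless without all three. The party names and the share assignment follow the post.

```python
"""Added example (not the post's code): 2-of-3 key escrow with XOR shares.

Assumption: the key is an arbitrary byte string (a raw private key would be
one). Shares are keyed by index so reconstruction can tell them apart.
Dave's server still sees the whole key while splitting it, which is exactly
the trust problem the post goes on to address.
"""
import secrets
from typing import Dict, List, Optional


def make_shares(key: bytes) -> List[bytes]:
    """Split key into three shares with s0 ^ s1 ^ s2 == key.

    s0 and s1 are uniformly random, so any one share, and indeed any two,
    are indistinguishable from random bytes without the third.
    """
    s0 = secrets.token_bytes(len(key))
    s1 = secrets.token_bytes(len(key))
    s2 = bytes(k ^ a ^ b for k, a, b in zip(key, s0, s1))
    return [s0, s1, s2]


def distribute(shares: List[bytes]) -> Dict[str, Dict[int, bytes]]:
    """Hand each party a different pair of the three shares, as in the post."""
    s0, s1, s2 = shares
    return {
        "Adam": {0: s0, 1: s1},
        "Bob": {1: s1, 2: s2},
        "Chris": {0: s0, 2: s2},
    }


def reconstruct(holdings: List[Dict[int, bytes]]) -> Optional[bytes]:
    """Pool the shares held by some subset of the parties.

    Any two parties together hold all three indices and get the key back;
    a single party holds only two indices and gets None.
    """
    pooled: Dict[int, bytes] = {}
    for held in holdings:
        pooled.update(held)
    if set(pooled) != {0, 1, 2}:
        return None
    return bytes(a ^ b ^ c for a, b, c in zip(pooled[0], pooled[1], pooled[2]))


def escrow_round_trip(key: bytes) -> Dict[str, bool]:
    """Check the properties the post relies on: loser+winner and
    referee+winner can both recover the key; the referee alone cannot."""
    holdings = distribute(make_shares(key))
    return {
        "loser_plus_winner": reconstruct([holdings["Adam"], holdings["Bob"]]) == key,
        "referee_plus_winner": reconstruct([holdings["Chris"], holdings["Bob"]]) == key,
        "referee_alone": reconstruct([holdings["Chris"]]) is None,
    }


if __name__ == "__main__":
    print(escrow_round_trip(secrets.token_bytes(32)))
```

In this construction the “part” the loser sends the winner is the one share the winner is missing. Threshold schemes such as Shamir’s secret sharing generalize the same idea to any k of n holders; the XOR version is enough to show why the split should be into shares rather than into fragments of the key.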

The problem: How can Adam, Bob and Chris trust that Dave isn’t going to secretly copy the private key, then use it to steal the money?

The solution: The software and hardware Dave is running should be publicly verifiable wherever possible, or failing that verifiably in the control of a large, trusted organization with little incentive to cheat.

Thinking about the way cloud hosting works right now, we might do something like this:

The server hardware the service runs on is controlled by Rackspace/Amazon.

The server OS and core software are based on a publicly available image, if possible created using a transparent process by a trusted party (ideally Rackspace/Amazon, as we have to trust them anyway).

The setup steps for the publicly available image are automated based on a public source code repository whose history cannot be modified, and nobody is able to log into the server and change them.

A public record is available showing which image is being used for the IP address of the service.

A public record is available showing which source code repository was used.

The best I think I could do using existing services would be something like:

On EC2 someone (let’s call them Ed) would create a publicly available AMI based on an official Linux AMI, and publicize the steps he used to make it. I’ll call it Ed’s Transparent AMI.

Ed’s Transparent AMI would have SSH logins disabled.

Ed’s Transparent AMI would run a script on boot specified by a parameter.

Dave would create his setup script and check it into a public Subversion repo on Google Code.

Dave would create read-only credentials for his EC2 account and publish them.

Dave would launch an instance using Ed’s Transparent AMI, specifying his setup script.

Dave would (probably) map a DNS name to the IP address of his instance.

If the system allowed Dave to update things after the instance was set up, his changes would have to go through public version control, probably using something like Puppet.

If Adam, Bob or Chris wanted to check up on Dave, they would:

Look up the IP address of the site.

Use the public EC2 credentials to find out which instance was attached to the IP address.

Use the public EC2 credentials to check which script the instance was using.

Check the history of the script on Google Code to make sure Dave hadn’t done anything suspicious.
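As an added example (my code, not the post’s, and not anything Dave or Ed would be shipping), here are the checks above written against the shape of the EC2 DescribeInstances and DescribeInstanceAttribute responses that the published read-only credentials would return. The JSON documents, instance ids, AMI id, IP addresses and setup script are all constructed placeholders; resolving the DNS name, calling the API and pulling the repository history are left to the caller.

```python
"""Added example (not the post's code): verifying which image and which
boot script sit behind the service's IP address.

Assumptions: the two JSON strings below stand in for
`aws ec2 describe-instances` and
`aws ec2 describe-instance-attribute --attribute userData` output (same
field names as the real API, made-up values); REPO_SCRIPT stands in for
the head revision of Dave's public repo.
"""
import base64
import hashlib
import json
from typing import Dict, Optional, Tuple

# Constructed stand-in for `aws ec2 describe-instances` output.
DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{
        "Instances": [
            {"InstanceId": "i-0aaaa0example", "ImageId": "ami-0unrelatedimage",
             "PublicIpAddress": "198.51.100.7"},
            {"InstanceId": "i-0bbbb0example", "ImageId": "ami-0edtransparent",
             "PublicIpAddress": "198.51.100.42"},
        ]
    }]
})

# The setup script at the head of Dave's public repo (constructed).
REPO_SCRIPT = "#!/bin/sh\napt-get install -y escrow-service\n"

# Constructed stand-in for the userData attribute; EC2 returns the launch
# script base64-encoded.
DESCRIBE_USERDATA = json.dumps({
    "InstanceId": "i-0bbbb0example",
    "UserData": {"Value": base64.b64encode(REPO_SCRIPT.encode()).decode()},
})

# The AMI id Ed published for his Transparent AMI (placeholder).
TRANSPARENT_AMI = "ami-0edtransparent"


def instance_for_ip(describe_instances_json: str, ip: str) -> Optional[dict]:
    """Step 2: find the instance attached to the site's IP address."""
    doc = json.loads(describe_instances_json)
    for reservation in doc["Reservations"]:
        for inst in reservation["Instances"]:
            if inst.get("PublicIpAddress") == ip:
                return inst
    return None


def user_data_script(describe_attribute_json: str) -> Tuple[str, str]:
    """Step 3: decode the boot script; return (instance id, script text)."""
    doc = json.loads(describe_attribute_json)
    script = base64.b64decode(doc["UserData"]["Value"]).decode()
    return doc["InstanceId"], script


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def verify(ip: str, describe_instances_json: str, describe_attribute_json: str,
           repo_script: str, expected_ami: str) -> Dict[str, object]:
    """Run the checks and report each one separately, so the reader sees
    which property failed rather than a single yes/no."""
    inst = instance_for_ip(describe_instances_json, ip)
    if inst is None:
        return {"instance_found": False, "ami_matches": False,
                "script_matches": False}
    attr_instance, running = user_data_script(describe_attribute_json)
    return {
        "instance_found": True,
        "instance_id": inst["InstanceId"],
        "ami_matches": inst["ImageId"] == expected_ami,
        # The attribute must belong to the same instance, and its script must
        # hash to the checked-in one; the digest is what you would publish
        # next to the repo revision the check was run against.
        "script_matches": attr_instance == inst["InstanceId"]
        and sha256(running) == sha256(repo_script),
    }


if __name__ == "__main__":
    print(verify("198.51.100.42", DESCRIBE_INSTANCES, DESCRIBE_USERDATA,
                 REPO_SCRIPT, TRANSPARENT_AMI))
```

The user-data check only tells you what the instance was launched with, not what is running on it now; that is why the design above disables SSH logins and pushes any later change through public version control, and why the fourth step, reading the script’s history, is not optional.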

If anyone wanted to check Ed’s Transparent AMI, I guess they’d follow the steps he said he’d used to create it and compare what they got with what he was providing, which is the best we can do for third-party AMIs right now.

The problem is that if someone is voting outside a secure voting booth, we can’t be sure that someone isn’t watching how they vote. If someone can watch how you vote, they can bribe or pressure you to vote in the way they want. Some people have concluded that it’s impossible to have a secret ballot using online voting.

Heads Or Tails Voting gives you a secret ballot in plain sight. The voter has a single secret piece of information which is never displayed on their computer screen: Whether they are a Heads Voter or a Tails Voter. Using this secret, they can vote without anyone ever knowing how they voted – even if someone was looking over their shoulder as they did it.

Here’s how it works.

Registration

You register in a secure booth. Like an existing voting booth, only one person is allowed in at a time, and you have to prove who you are before you are allowed to use it.

Using the computer in the booth, you create a login name and password that you will be able to use from your PC or mobile phone.

The computer randomly chooses either Heads or Tails, and tells you which it chose. This information is stored in the voting database along with your password, and no-one else knows whether you are a Heads Voter or a Tails Voter.

You only have to visit the booth once, unless you forget whether you are a Heads Voter or a Tails Voter. Everything else can be done from your PC or your phone.

Voting (Yes or No)

Log into the voting website using your login name and password.

The screen shows the choices for Heads Voters on one side and Tails Voters on the other side.

If you are a Heads Voter, click the top checkbox to vote “Yes” or the bottom checkbox to vote “No”.

If you are a Tails Voter, click the top checkbox to vote “No” or the bottom checkbox to vote “Yes”.

Rearrange the order of the candidates by dragging their names to the left or right.

If you are a Heads Voter, put your favourite candidate on the left and your least favourite candidate on the right.

If you are a Tails Voter, put your favourite candidate on the right and your least favourite candidate on the left.

What Happens If…

If you forget whether you are a Heads Voter or a Tails Voter, you can go back to the registration booth and find out.

If someone tries to force you to vote the way they want, you can trick them by lying about whether you are a Heads Voter or a Tails Voter, and make your actual votes go to whoever you think will annoy them the most.

If someone steals your login name and password, they’ll have to guess whether you are a Heads Voter or a Tails Voter. Since they only have a 50/50 chance of guessing right, they will be as likely to hurt their chosen candidate as help them.
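As an added example (mine, not part of the post), here is the server-side decoding that turns what a Heads or Tails voter clicked on screen into the vote that actually counts, for both the Yes/No ballot and the candidate ranking, together with the 50/50 outcome for someone who has the password but not the secret. It assumes the secret is held server-side as a boolean `is_heads` and that the client only ever sends the on-screen action (which checkbox, or the left-to-right order); the function names are mine.

```python
"""Added example (not the post's code): decoding Heads or Tails ballots.

Assumption: is_heads is the voter's secret bit from the registration
booth, stored server-side; the client submits only the on-screen action.
"""
from typing import List


def decode_yes_no(is_heads: bool, clicked_top: bool) -> str:
    """Heads voters: top = Yes, bottom = No. Tails voters: the reverse."""
    if is_heads:
        return "Yes" if clicked_top else "No"
    return "No" if clicked_top else "Yes"


def decode_ranking(is_heads: bool, left_to_right: List[str]) -> List[str]:
    """Return the ranking favourite-first. Heads voters put their favourite
    on the left; Tails voters on the right, so their list is reversed."""
    return list(left_to_right) if is_heads else list(reversed(left_to_right))


def shoulder_surfer_view(clicked_top: bool) -> str:
    """What an observer learns: only the on-screen action, which is
    consistent with both a Yes and a No."""
    return "clicked top" if clicked_top else "clicked bottom"


def stolen_credential_outcomes(intended: str) -> List[str]:
    """Someone with the password but not the bit has to pick a checkbox.
    Whichever they pick, one of the two equally likely bit values counts
    the opposite of what they intended."""
    clicked_top = intended == "Yes"  # guessing the Heads layout
    return [decode_yes_no(is_heads, clicked_top) for is_heads in (True, False)]


if __name__ == "__main__":
    print(decode_yes_no(False, True), decode_ranking(False, ["A", "B", "C"]))
    print(stolen_credential_outcomes("Yes"))
```

Two things this makes visible: the secret bit is the same for every vote the voter ever casts, so it has to stay off the client entirely; and the voting database holds both the bit and the action, so the secrecy here is from the person looking over your shoulder, not from whoever runs the server.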

With the chance that Britain may soon decide to experiment with democracy by replacing the House of Lords with an elected second chamber, there’s been a fair bit of discussion recently about what form it should take; some people want only 100 or so senators, others want to use all the seats in the room. Some people want them to be up for election repeatedly, and some people think they should serve a single term then retire. But there’s very little controversy about the basic design: One way or another, usually involving occasional popular votes, we come up with a list of representatives who will make all the decisions for us.

When nineteenth-century engineers set out to design a keyboard for their new-fangled typewriters, they had some serious technical limitations to deal with. Famously, the typewriters of the day suffered from jammed keys if you typed too fast on them, so we ended up with an arrangement that spread the keys out to put the frequently-used ones further apart.

People designing electoral systems up until the nineteenth-century had some even more constraining limitations to deal with. They were supposed to represent the wishes of millions of people, but it was hard to arrange a meaningful discussion between more than a few hundred. They were supposed to help us make decisions affecting people over hundreds of miles, but getting just a single communication – let alone a conversation – backwards and forwards between someone at one end of the country and someone else at the other end could take over a day. Asking people their opinions was expensive, so you couldn’t afford to do it too often.

Like the keyboard designers, people came up with some creative solutions. The country is arbitrarily divided into electoral areas (constituencies) and each area elects its own representative. People can decide on representatives without knowing what’s going on at the other end of the country, and can make their decisions based on a discussion with somebody close to them. To avoid lots of expensive votes, you pick your representative only once every few years; since the choice you’re making is simple and local, it’s easy to administer. Primitive versions of this system would have a single choice, marked with an “x” (in case you couldn’t write) per person per election. It was simple, crude and cheap, tailored to fit the technology of its time.

Modern keyboards don’t have a problem with stuck keys, and the logistical problems that we worked around with constituencies and parliaments have now been solved. We can have discussions with people without them all being in the same room. We can count a million electronic votes in less than a second. We don’t need constituencies with arbitrary boundaries gerrymandered by parties arguing over bus routes, and we don’t need to restrict our choices in elections to whatever bozo did the best job of sucking up to the local party.

If we wanted a democratic, responsive government, and we weren’t worried about nineteenth-century logistics, here’s how we’d do it:

1) Start with the concept that everyone gets a vote on everything. If you want to have your say on Article 234Z of Amendment 4B of the Dry Cleaning Regulation Bill, you should be able to exercise it. That didn’t used to be practical; now we have the internet. Vote on everything that way. Problem solved.

2) We don’t need everyone in the same room – we can talk about everything on the web. That means we don’t need a limit on how many people can participate; let anyone join in whatever discussions they like, and let people use whatever ignore filters and reputation systems they like to make sure the people with the most to say get heard.

3) Most people won’t know or care about a lot of issues, or they’ll prefer to let someone they trust figure it out for them. Let them delegate their votes to anyone they like – a friend, a political party, a union, a charity, anyone.

4) Logistically, we don’t need constituencies anymore, and they don’t serve any other useful purpose, so get rid of them. If people value having someone local to represent them, they can delegate their votes to the person of their choice. If for some reason they don’t identify with that local area (as in “I am British, I am English, I am European, but most of all I belong to Oxford West and Abingdon!”) they can delegate their votes based on something else.

This is how Democracy will look in the future. Direct democracy where you want it, representative democracy where you don’t. A local connection where you prefer, national expertise if you’d rather have that instead. Five-year elections and parliaments will be confined to the dustbin of history. We will look back on them as a thing of the past, like those weird old-fashioned qwerty keyboards. Oh, hang on….

Right around the time we all started getting mobile phones, people often used to comment that they were losing the ability to remember phone numbers.

As we get used to having Google on-demand, people are starting to say that they’re losing the ability to remember anything.

Much as it may upset the Daily Telegraph, this is a rational response to the acquisition of our new information super-powers. When information was hard to get, you needed to spend your time hoarding knowledge that you might need. Now that we can pull up all the information we want in a few minutes, it makes sense to tune out anything you don’t immediately need.

Q: What do you get when you combine the Feiler Faster Thesis (voters are comfortable processing info quickly) with the Theory of the Two Electorates (the mass of voters who don’t follow politics are less informed than they used to be and only tune in at the last minute)…

A: You get elections that are a) close but b) might not look close three, two, or even one day before the vote…

In the US primaries, a few people here have commented how badly out a lot of the polling has been. It would be interesting to know if the late surges that have been a feature of this race are a result of more people making their minds up later in a way they didn’t used to – which could, in turn, be a result of the way the internet has changed the way we think.

If this is what’s happening, it will have implications well beyond the US race; polling will get less reliable, and politicians who fail to grasp what Google has done to our brains will lose.

Guest blogging over at orangebyname, I’ve argued that a lot of aspects of our current democracy – constituencies, representatives, parliaments, etc. are ways of solving 19th Century logistical problems that no longer exist, and we should get rid of them all and just vote for everything over the internet.

What I’ve suggested is just giving everyone a vote on everything, but letting them delegate it to any person or group they want to.

At this point, some people will be wondering whether internet voting doesn’t have a bunch of logistical problems of its own.

Basically, there are three kinds of problems we have to deal with: Usability, security and secrecy.

1) Usability

Most people are increasingly happy using a computer interface, but there are a few who still don’t get it, and don’t particularly want to. We don’t need to worry too much about them because we can make our new system backwards-compatible with the old one; we can set up ballot boxes once every 5 years or so where people who haven’t signed up as online voters can delegate all their votes to an old-fashioned political party.

2) Security

This is a bit harder, because most people’s computers have long since been owned by Chinese hackers. That said, in most cases people’s home PCs seem to be good enough for online banking and gambling, so we can probably live with it, even if we do end up passing the occasional spammer subsidy law or whatever. In any case, these problems should get better over time as users become increasingly clueful.

3) Secrecy

This is the problem that a lot of people seem to think is effectively unsolvable – but they’re wrong. The aim here is that it should be impractical to bribe or intimidate people into voting the way you want, because it’s impossible to verify how somebody has voted. That way, with the exception of Japanese people, who have weird ethics, attempting to buy a vote should tip off the voter that you can’t be trusted, so they can just take your money, promise to support you and go and vote for your opponent. Likewise, intimidation is likely to be counter-productive because you just annoy the intimidatee, who’s obviously going to vote for someone else if he’s confident that you’re not going to find out what he did. In both cases, the key to keeping the system fair is to allow voters to lie to everybody else about how they voted.

Until now we’ve done this by having people vote in closed, managed spaces where nobody can see how you’re voting, but people can see whether you’re being observed. This obviously doesn’t work if you’re voting at home using your computer because it would be too expensive to send somebody over to your house to make sure nobody’s watching when you do it.

At this point it’s worth pointing out that the system we have is already full of holes. For one thing, we also allow voting by post or by proxy, where there’s no way to confirm who actually cast the vote; it would be trivial to apply for a postal vote and then sell it to the highest bidder – you could even do this anonymously, so you’d never even know who you were selling it to. Not only that, voting in a closed space is also now subject to a bunch of vulnerabilities that weren’t there when they came up with the system hundreds of years ago. Everyone carries a little camera around with them attached to their phone, and you can even buy tiny concealable cameras that would allow you to video the whole thing to prove to your vote buyer that they’re getting their money’s worth. Within a decade, the biggest headache for polling officials is likely to be getting people to turn off the cameras on their glasses.

With online voting we can solve these problems. But we’ll need people to show up once – only once – in a managed environment like our current voting booths. Except it will be better secured than our current voting booths, because you’ll be able to show up and do this any time you like instead of everyone having to do it on the same day, so it can be staffed and managed by professionals instead of volunteer old ladies. Or we could stick the things in vans and have them drive around the place like mobile libraries or TV detector vans.

Anyhow, all you’ll have to do at these booths is create some accounts with usernames and passwords that you’ll use to do your online voting. Not a single account – several. (Or as many as you like.) Why several? Because only one of them will work – the others will be dummies. When you use them to vote, the dummy accounts will look exactly like the real one – but their votes won’t be counted. The only way to tell which account is which will be from inside the secure booth. That way if someone tries to buy your vote, you can log in with one of your dummies, vote the way he’s telling you and take his money. If you like you can log in again later and cast your real vote.

Alternatively, to fully leverage the power of bloody-mindedness when people try to tell you what to do, we could set it up so that you only have a single account, but you get to choose whether its effect is positive or negative. Then if your violent father tries to force you to vote for his local self-appointed Community Leader, you can sit there clicking obediently while actually casting your vote against him. Nah.

Problem solved.

There we have it: Online voting – usable, secret and (mostly) secure. Pity there’s nothing we can do about the spammer subsidies, though.